Memory Corruption Affecting vyper package, versions [,0.2.9)
Snyk ID SNYK-PYTHON-VYPER-1252242
- published 20 Apr 2021
- disclosed 19 Apr 2021
- credit Thomas Jay Rush
How to fix?
Upgrade vyper to version 0.2.9 or higher.
Overview
vyper is a Pythonic Smart Contract Language for the EVM.
Affected versions of this package are vulnerable to Memory Corruption. A data handling issue exists with certain forwarder-style proxies deployed using Vyper's built-in create_forwarder_to function, before support for EIP-1167 style forwarder proxies was added.
Data corruption can arise only when all of the following conditions hold:
- a forwarder-style proxy deployed using Vyper's built-in create_forwarder_to function is in use;
- a function returns more than 4096 bytes; and
- no sanitization is applied to the returned value.
The issue was patched when support was added for EIP-1167 style forwarder proxies.
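As an added defender-side check, not part of this advisory or of Vyper's own tooling, the following Python helper scans a Vyper source file for functions whose ABI-encoded return value can exceed the 4096-byte threshold named above, so a team can tell whether the second condition applies before deciding how urgently to redeploy behind a fixed proxy. The regex-based signature parsing and the sample contract are assumptions made for illustration.

```python
import math
import re
# Threshold named in the advisory (bytes of return data from the forwarded call).
RETURN_LIMIT = 4096
WORD_TYPES = {"address", "bool", "bytes32", "decimal"}
# One-line Vyper signature with a return annotation (assumption: not wrapped).
SIG_RE = re.compile(r"^\s*def\s+(\w+)\s*\([^)]*\)\s*->\s*([^:]+):", re.MULTILINE)

def _is_word(t: str) -> bool:
    """True for Vyper types that ABI-encode to exactly one 32-byte word."""
    return t in WORD_TYPES or re.fullmatch(r"u?int\d+", t) is not None

def encoded_size(vyper_type: str) -> int:
    """Upper bound on the ABI-encoded size in bytes of one Vyper return type."""
    t = vyper_type.strip()
    if t.startswith("(") and t.endswith(")"):  # tuple return: sum the members
        return sum(encoded_size(p) for p in t[1:-1].split(","))
    m = re.fullmatch(r"(Bytes|String)\[(\d+)\]", t)
    if m:  # dynamic: 32-byte offset + 32-byte length + payload padded to 32
        return 64 + 32 * math.ceil(int(m.group(2)) / 32)
    m = re.fullmatch(r"(\w+)\[(\d+)\]", t)
    if m and _is_word(m.group(1)):  # fixed-size array of word-sized elements
        return 32 * int(m.group(2))
    if _is_word(t):
        return 32
    raise ValueError(f"unsupported return type: {t}")

def oversized_returns(source: str, limit: int = RETURN_LIMIT) -> dict[str, int]:
    """Map each function whose maximum return size exceeds `limit` to that size."""
    found = {}
    for name, ret in SIG_RE.findall(source):
        size = encoded_size(ret)
        if size > limit:
            found[name] = size
    return found
# Constructed sample contract (not from the advisory) exercising the check.
SAMPLE_SOURCE = """
@external
def small() -> uint256:
    return 1
@external
def under_limit() -> Bytes[4000]:
    return self.short_blob
@external
def blob() -> Bytes[5000]:
    return self.long_blob
@external
def rows() -> uint256[200]:
    return self.table
"""
```

Only `blob` and `rows` are reported for the sample: `Bytes[4000]` encodes to 4064 bytes and stays under the limit, while `Bytes[5000]` encodes to 5088 bytes and `uint256[200]` to 6400.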